Re: [phplib] Registering form variables From: Maurice Jumelet (maurice <email protected>)
Date: 09/13/00

I don't agree.

It may be a bit different, but it is still possible to fake the web server
(all you need to do is create a new HTML page locally and load it in your
browser).

Maurice

----- Original Message -----
From: R.B. Scholtus <regiment <email protected>>
To: Maurice Jumelet <maurice <email protected>>; Rex Byrns <rexb <email protected>>;
Phplib <email protected> Netuse. De (E-mail) <phplib <email protected>>
Sent: Tuesday, September 12, 2000 11:46 PM
Subject: Re: [phplib] Registering form variables

> You can also use POST vars to make sure the input is valid (=post data) and
> not user 'generated' (=get data). For example in order.php3:
>
> $total = $HTTP_POST_VARS["price"] * (int)$HTTP_POST_VARS["order_amount"];
> echo "<p>total price: $total";
>
> which probably saves you a query. Just make sure track_vars = on.
>
> Brian
>
> PS. Maybe it's interesting to check phpinfo() for HTTP_GET_VARS,
> HTTP_POST_FILES, HTTP_SERVER_VARS also.
> I've written some functions that generate queries based on HTTP_POST_VARS,
> which is convenient and safe. Email me if you want to take a look.
>
>
> ----- Original Message -----
> From: "Maurice Jumelet" <maurice <email protected>>
> To: "Rex Byrns" <rexb <email protected>>; "Phplib <email protected> Netuse. De (E-mail)"
> <phplib <email protected>>
> Sent: Tuesday, September 12, 2000 11:30 PM
> Subject: Re: [phplib] Registering form variables
>
>
> > I'll give an example:
> > Suppose you have a shop with an item, a shoe (price $35),
> >
> > and you have a form:
> > <FORM action="http://domain.com/order.php3">
> > Amount<INPUT TYPE="text" NAME="order_amount">
> > <INPUT TYPE="HIDDEN" NAME="itm_id" VALUE="1001">
> > <INPUT TYPE="HIDDEN" NAME="price" VALUE="35">
> > </FORM>
> >
> > The problem with this is that you cannot trust the internet user; for a
> > malicious user it would be easy to order this shoe for another price by
> > simply going to
> > http://domain.com/order.php3?amount=1&itm_id=1001&price=10
> >
> > What you should do is use the ID for the product id and look up the price
> > in your database in the order.php3 script.
> >
> > Hope this helps,
> > Maurice
> > NOXX.com
> >
> > ----- Original Message -----
> > From: Rex Byrns <rexb <email protected>>
> > To: Phplib <email protected> Netuse. De (E-mail) <phplib <email protected>>
> > Sent: Tuesday, September 12, 2000 9:42 PM
> > Subject: [phplib] Registering form variables
> >
> >
> > >
> > > I would like for someone to explain the use of form variables in sessions.
> > > The manual distinctly points out that you should never trust unvalidated
> > > user input from the internet. I repeatedly see chances to benefit greatly
> > > from registering form variables. A shopping cart uses "form variables" to
> > > track purchases. What exactly is the difference? Are these warnings only
> > > for the scary stuff like user names, passwords, addresses, etc.?
> > >
> > > Thanks
> > > Rex
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> > > For additional commands, e-mail: phplib-help <email protected>
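Added example, not code from the original thread or from phplib: the order.php3
handler written the way Maurice's advice suggests, with the price taken from a
server-side lookup keyed on itm_id and the client-supplied "price" field
ignored. Whether the fields arrive as GET or POST makes no difference to the
check; a POST body is just as easy to hand-craft (a local copy of the form with
the hidden field edited, or `curl -d 'itm_id=1001&price=10&order_amount=1' ...`).
Assumptions: modern PHP with $_POST in place of $HTTP_POST_VARS/track_vars, and
a constructed in-memory CATALOG standing in for the database query.

```php
<?php
// Added example (not from the original thread): order.php3 rewritten so the
// server never trusts a client-supplied price. Modern PHP ($_POST instead of
// $HTTP_POST_VARS) is assumed; CATALOG below is a constructed stand-in for the
// database lookup the thread recommends.
declare(strict_types=1);

// Constructed catalog: item id => price in cents (integers, not floats, for money).
const CATALOG = [
    1001 => 3500,   // the $35 shoe from the thread
    1002 => 1250,
];

/**
 * Compute the order total from the submitted form fields.
 * Only itm_id and order_amount are read; a "price" field is ignored no matter
 * whether it arrived via GET, POST, or a hand-made HTML form.
 * Returns the total in cents, or null when the input is not acceptable.
 */
function order_total(array $fields, array $catalog): ?int
{
    // itm_id must be a whole number that exists in the catalog.
    // filter_var() returns false for missing values, arrays and non-integers.
    $itemId = filter_var($fields['itm_id'] ?? null, FILTER_VALIDATE_INT);
    if ($itemId === false || !isset($catalog[$itemId])) {
        return null;
    }

    // order_amount must be a positive integer within a sane range;
    // a bare (int) cast would silently turn "-5" or "abc" into something else.
    $amount = filter_var($fields['order_amount'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    if ($amount === false) {
        return null;
    }

    // The price comes from the server-side catalog, never from the request.
    return $catalog[$itemId] * $amount;
}

// A forged submission, e.g. from a locally edited copy of the form or from
// `curl -d 'itm_id=1001&price=10&order_amount=1' http://domain.com/order.php3`.
$forged = ['itm_id' => '1001', 'price' => '10', 'order_amount' => '1'];
var_dump(order_total($forged, CATALOG));

// Bad input is rejected instead of being cast into something "valid".
var_dump(order_total(['itm_id' => '1001', 'order_amount' => '-5'], CATALOG));
var_dump(order_total(['itm_id' => '9999', 'order_amount' => '1'], CATALOG));

// In the real script the fields would come from the request:
// $total = order_total($_POST, CATALOG);
```

For the forged request the function returns 3500 (one $35 shoe); the
price=10 field has no effect because it is never read. The negative quantity
and the unknown item id both return null, so the caller can refuse the order
rather than store a garbage total. The same function applied to $_GET would
behave identically, which is the point of the thread: the transport method is
not a trust boundary, the server-side lookup is.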